Privacy Policy

Introduction to Our Privacy Policy

Digital Shell ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our secure sharing service at the-shell.com (the "Service").

We operate on a privacy-first architecture, which means your encrypted vault data is never accessible to us. Your documents, credentials, notes, and files are encrypted on your device before being transmitted to our servers.

By using Digital Shell, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies, please do not use our Service.

Information We Collect

Account Information

When you create an account, we collect:

• Email address — Used for authentication, account recovery, and important service communications
• Authentication data — Magic link tokens, OTP codes, or OAuth tokens (Google sign-in)
• Device information — Device identifiers for multi-device sync and security

Encrypted Vault Data

Your vault data (documents, credentials, notes, credit cards, and files) is end-to-end encrypted. We store this encrypted data on our servers, but we cannot read or access its contents. Only you hold the encryption keys.

Usage Data

We automatically collect certain information when you use our Service:

• IP address and approximate location (country/region)
• Browser type and version
• Pages visited and features used
• Time and date of access
• Referring website or source

Payment Information

Payment processing is handled by a trusted third-party provider. We do not store your full credit card number, CVV, or other sensitive payment details. Our payment provider gives us limited information such as the last four digits of your card and billing address for record-keeping.

How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve our Service
• Process your transactions and manage your subscription
• Send you important service updates and security alerts
• Respond to your inquiries and provide customer support
• Monitor and analyze usage patterns to improve user experience
• Detect, prevent, and address technical issues and security threats
• Comply with legal obligations

We will never use your encrypted vault data for advertising, analytics, or any purpose other than providing the Service to you.

Data Storage and Security

Security Architecture

Digital Shell uses a privacy-first security model. Your encryption keys are never transmitted to or stored on our servers. All encryption and decryption happens locally on your device.

Security Measures

We implement industry-standard encryption and security measures to protect your data. All data is encrypted both at rest and in transit.

Infrastructure Security

Our infrastructure is hosted on secure cloud providers with SOC 2 compliance. We implement industry-standard security measures including firewalls, intrusion detection, and regular security audits.

How We Share Your Data

We do not sell, rent, or trade your personal information to third parties. We may share limited information with:

Service Providers

We work with trusted third-party service providers for payment processing, hosting, and infrastructure services. These providers are contractually obligated to protect your data and use it only for the services they provide to us.

Legal Requirements

We may disclose your information if required by law, court order, or government request. However, due to our security architecture, we cannot provide access to your encrypted vault data even if compelled—we simply do not have the keys.

Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred. We will notify you of any such change and your options regarding your data.

Your Rights (GDPR/CCPA)

Depending on your location, you may have certain rights regarding your personal data:

For All Users

• Access — Request a copy of your personal data
• Correction — Update or correct inaccurate data
• Deletion — Request deletion of your account and data
• Export — Download your data in a portable format

For EU/EEA Residents (GDPR)

• Right to restrict processing
• Right to object to processing
• Right to data portability
• Right to withdraw consent
• Right to lodge a complaint with a supervisory authority

For California Residents (CCPA)

• Right to know what personal information is collected
• Right to know if personal information is sold or disclosed
• Right to opt-out of the sale of personal information (we do not sell your data)
• Right to non-discrimination for exercising your rights

To exercise any of these rights, please contact us.

California Consumer Privacy Act (CCPA) Rights

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with the following rights regarding your personal information. This section supplements the information provided elsewhere in this Privacy Policy and applies only to California residents.

Right to Know

You have the right to know what personal information we collect about you, including the categories of personal information collected, the categories of sources from which it is collected, the business or commercial purposes for collecting it, and the categories of third parties with whom we share it. You may also request the specific pieces of personal information we have collected about you in the preceding 12 months.

Right to Delete

You have the right to request that we delete personal information we have collected from you, subject to certain legal exceptions (for example, where we must retain information to complete a transaction, comply with a legal obligation, or detect security incidents).

Right to Opt-Out of Sale or Sharing

You have the right to opt out of the "sale" or "sharing" of your personal information as those terms are defined under the CCPA/CPRA. We do not sell or share your personal information, and we have not done so in the preceding 12 months. We also do not sell or share the personal information of minors under 16.

Right to Correct

You have the right to request that we correct inaccurate personal information we maintain about you.

Right to Limit Use of Sensitive Personal Information

You have the right to limit our use and disclosure of sensitive personal information to uses necessary to provide the Service. Because our zero-knowledge architecture means we cannot access the contents of your vault, we do not use your encrypted vault data for any purpose other than delivering the Service to you.

Right to Non-Discrimination

We will not discriminate against you for exercising any of your CCPA rights. Exercising these rights will not affect the price or quality of the Service, and we will not deny you access to the Service or provide a different level of service because you exercised your rights.

How to Exercise Your CCPA Rights

To exercise any of the rights described above, California residents (or their authorized agents) may contact us:

• Email: contact@the-shell.com
• Contact Form: the-shell.com/contact

We will verify your request by matching the information you provide against the information we have on file (for example, the email address associated with your account). We will respond to verifiable consumer requests within the timeframes required by the CCPA. You may designate an authorized agent to make a request on your behalf by providing written authorization.

Data Retention and Deletion

We retain your data as follows:

• Account data — Retained while your account is active
• Encrypted vault data — Retained while your account is active
• Usage logs — Retained for up to 90 days
• Payment records — Retained for 7 years for tax and legal compliance

When you delete your account, we will delete or anonymize your personal data within 30 days, except where retention is required by law.

Children's Privacy

Digital Shell is not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe your child has provided us with personal information, please contact us, and we will delete such information.

International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. These countries may have different data protection laws.

When we transfer data internationally, we ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses approved by the European Commission
• Data processing agreements with our service providers
• Encryption of all sensitive data

Cookies and Tracking Technologies

We use cookies and similar technologies to provide and improve our Service. For detailed information about the cookies we use, please see our Cookie Policy.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last Updated" date.

For significant changes, we will also send you an email notification. We encourage you to review this Privacy Policy periodically.

Contact Us About Privacy

If you have any questions about this Privacy Policy or our data practices, please contact us:

• Email: contact@the-shell.com
• Contact Form: the-shell.com/contact

For GDPR-related inquiries, you may also contact your local data protection authority. California residents may exercise CCPA rights as described in the California Consumer Privacy Act (CCPA) Rights section above.