Privacy Policy

(encrypt.lu / decrypt.lu)

Last updated: 12 February 2026

1. Controller

The controller responsible for data processing under Regulation (EU) 2016/679 (GDPR) is:

Marjan Skrobot
Sole trader
62, rue Marie-Adelaide, 2128, Luxembourg
Luxembourg
Email: legal@encrypt.lu

The service is operated under the commercial names encrypt.lu and decrypt.lu.

2. Nature of the Service

decrypt.lu is the recipient-facing side of the service. It lets you open shared links and decrypt .enc files in your browser. All decryption and password-based key derivation occur entirely within your browser.

The operator:

  • Does not receive decryption keys
  • Does not receive passwords
  • Cannot decrypt stored files
  • Does not access decrypted file contents

When you open a shared link, only encrypted data (ciphertext) is downloaded from the relay; decryption happens locally in your browser. The service stores only encrypted data on the relay.

3. Categories of Data Processed

3.1 Encrypted Files

When a file is uploaded:

  • The file is encrypted client-side.
  • Only the encrypted file (ciphertext) is transmitted.
  • The encrypted blob is stored in object storage.

Stored technical metadata includes:

  • Transfer ID
  • Upload timestamp
  • File size (bytes)
  • Download count
  • Retention setting
  • Expiry timestamp

We do not store:

  • Plaintext file names
  • File contents
  • Encryption keys
  • Passwords

3.2 IP-Based Abuse Prevention

We do not store raw IP addresses.

For abuse prevention and rate limiting:

  • A daily-rotating, non-reversible hashed identifier is derived from the connecting IP.
  • The original IP address is not stored.
  • The derived identifier automatically expires (typically within 24 hours).

Legal basis: Article 6(1)(f) GDPR (legitimate interest — service security and abuse prevention).

3.3 Aggregate Usage Statistics

We collect minimal, aggregate, non-identifying statistics:

  • Page views (count only)
  • Encrypt button clicks
  • Encryption mode selection
  • Retention option selection
  • Delete-after-download selection

We do not collect:

  • IP addresses
  • Cookies for tracking
  • Session identifiers
  • Device fingerprints
  • Account data

These statistics are stored only as aggregate counters.

Legal basis: Article 6(1)(f) GDPR (legitimate interest — service improvement).

3.4 Abuse Protection via Cloudflare

The service uses infrastructure provided by Cloudflare, Inc. When abuse thresholds are exceeded, Cloudflare Turnstile may be used to prevent automated misuse.

When verifying Turnstile, we do not send the user's IP address to Cloudflare; only the verification token is submitted. This limits the data shared with Cloudflare to the minimum necessary for abuse prevention.

Cloudflare may process technical information independently as a separate controller. International data transfers are safeguarded using appropriate mechanisms, including Standard Contractual Clauses.

4. Storage and Retention

Users may select:

  • 10 minutes
  • 1 hour
  • 1 day
  • 3 days

Encrypted files are automatically deleted after expiry. If "delete after first download" is enabled, deletion occurs immediately after successful download.

The operator does not guarantee absolute deletion in cases of system failure, force majeure, or infrastructure malfunction. However, deletion mechanisms are implemented in good faith.

5. Security Measures

Technical measures include:

  • Client-side encryption only
  • Argon2id for password-based key derivation
  • XChaCha20-Poly1305 authenticated encryption
  • TLS transport encryption
  • Automatic expiry deletion
  • No plaintext file storage

Despite these measures, no system can guarantee absolute security. Users remain responsible for protecting their passwords and links.

6. Your Rights

Under GDPR you may exercise:

  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restriction
  • Right to objection

Given the minimal and non-identifiable nature of stored data, exercising certain rights may not be technically possible.

You may lodge a complaint with:

Commission nationale pour la protection des données (CNPD)

7. No Warranty of Data Recoverability

Because encryption keys are never transmitted to the operator:

  • Lost passwords cannot be recovered.
  • Lost links cannot be recovered.
  • Deleted files cannot be restored.

The operator has no technical ability to recover user data.

8. Changes to This Policy

This Privacy Policy may be updated at any time. The current version is always available on this page.