Cipheraft
Sign inJoin the waitlist

Privacy Policy

Last updated: 2026-05-26

cipheraft is operated by an individual — there is no marketing department, no data-broker contracts, and no third-party advertising. This policy explains, in plain language, what data we collect, why, and what we do with it.

1. Data we collect

  • Account data — your name, email, the subdomain you requested, and (optionally) a short blurb describing what you want to build. Provided by you when you join the waitlist.
  • Tenant content — everything you put in your portfolio: bio, experience, education, skills, projects, images, blog posts.
  • Contact-form submissions — when a visitor messages you via your contact form, we store the message so it can be retried if the mail relay is briefly unavailable. You can delete any submission from your admin.
  • Operational logs — minimal request logs (timestamp, path, anonymised IP) retained for 30 days for debugging and abuse prevention. We do not use cookies for analytics or tracking.
  • Mail metadata — when we send mail on your behalf via the platform SMTP relay, the message id and delivery status are kept for 14 days so you can troubleshoot bounces.

2. What we do not collect

  • No third-party advertising or marketing cookies.
  • No behavioural profiling, scroll tracking, or session recording.
  • No browser fingerprinting.
  • No selling, renting, or sharing of personal data with anyone, ever.

3. Why we collect it

We collect only what is strictly necessary to (a) run your portfolio site, (b) send mail you have asked us to send, and (c) prevent abuse of the shared infrastructure. We never use your data to train models or build advertising profiles.

4. Where it lives

Your data is stored in MongoDB Atlas (region: eu-west-1 by default) and served via Vercel's edge. Backups are encrypted and retained for 30 days. Mail is delivered via the SMTP credentials you provide; we do not retain SMTP passwords in plaintext.

5. Cookies

We set one strictly necessary cookie — your admin session token — when you log in. It expires after 14 days of inactivity. There are no analytics, advertising, or tracking cookies on the marketing site or on any tenant portfolio.

6. Sharing with third parties

The only third parties that handle your data are our infrastructure providers: MongoDB Atlas (database), Vercel (hosting, edge, deployment), and the SMTP provider you choose for outbound mail. Each is a data processor acting on cipheraft's instructions, bound by their own privacy commitments and our data-processing agreements.

We will disclose data only when legally compelled to do so (court order, valid law-enforcement request) — and where the law allows, we will notify you first.

7. Your rights

You have the right to access, correct, export, or delete any personal data we hold about you. Most of these you can do yourself from the admin panel. For anything else, email privacy@cipheraft.com and we will respond within 14 days.

If you are in the EU/UK, you also have the right to lodge a complaint with your local supervisory authority — though we'd love a chance to fix the problem first.

8. Children

cipheraft is not directed at children under 16. If you believe a child has provided us with personal data, contact us and we will delete it promptly.

9. Data retention

  • Active tenants — retained while the tenant is active.
  • Suspended tenants — retained indefinitely (so reactivation is possible) unless deletion is requested.
  • Deleted tenants — purged within 30 days; backups are rotated out within 60 days.
  • Waitlist applications — kept for 12 months unless you ask us to delete them sooner.

10. Changes to this policy

If we make material changes to this Privacy Policy, we will notify every active tenant by email at least 14 days before the change takes effect.

11. Contact

Privacy questions: privacy@cipheraft.com. General contact: hello@cipheraft.com.