Back to Home

Privacy Policy

Last updated: February 2026

Introduction

PassLink is operated by CLOUDTASTIC SL. This policy explains how we handle data when you use our service. Because PassLink uses zero-knowledge encryption, we cannot access the content of your secrets. This policy covers the limited data we do process.

Data Controller

The data controller responsible for your personal data is:

CLOUDTASTIC SL

For privacy inquiries, contact us at privacy@passlink.click

What We Collect

We Never Collect

  • Your original secret content (encrypted before reaching our servers)
  • Encryption keys (stored only in the URL fragment in your browser)
  • Personal identification information
  • Login credentials (no accounts required)

We Temporarily Store

  • Encrypted data blobs (unreadable without the key)
  • Expiration timestamps
  • Optional password hashes (for protected secrets)

All encrypted data is automatically deleted after viewing or when the expiration time is reached.

Analytics & Cookies

When you provide consent via our cookie banner, we use Google Analytics 4 and Vercel Analytics to understand how the site is used. These services may set cookies and collect anonymized usage data such as page views, referrer URLs, and device type. You can withdraw consent at any time by clearing your browser storage.

For a detailed list of cookies, see our Cookie Policy.

Lawful Bases for Processing

We process data under the following legal bases:

  • Legitimate interest — operating and improving the service, rate limiting, and abuse prevention
  • Consent — for non-essential cookies and analytics tracking (obtained via cookie banner)
  • Contract performance — processing your encrypted data to deliver the secret-sharing service

Subprocessors

We use the following third-party services to operate PassLink:

  • Upstash — Redis database for encrypted secret storage (EU servers)
  • Vercel — Hosting and edge network (EU servers)
  • Google Analytics — Usage analytics, loaded only with consent (EU/US — Google LLC)
  • Resend — Email notifications for secret access alerts (EU servers)

International Data Transfers

All core infrastructure runs on EU-based servers. Google Analytics may involve data transfer to the US, as Google LLC is a US-based entity. Google operates under the EU–US Data Privacy Framework adequacy decision. All other subprocessors process data on EU servers.

Your Rights

Under GDPR and applicable privacy laws, you have the right to:

  • Access — request a copy of the personal data we hold about you
  • Rectification — request correction of inaccurate data
  • Erasure — request deletion of your data
  • Restriction — request that we limit processing of your data
  • Portability — receive your data in a portable format
  • Objection — object to processing based on legitimate interest
  • Withdraw consent — withdraw cookie/analytics consent at any time

To exercise any of these rights, contact us at privacy@passlink.click. We will respond within 30 days.

You also have the right to lodge a complaint with your local data protection authority.

Data Retention

Encrypted secrets are automatically deleted after being viewed or upon expiration (maximum 7 days). We do not keep backups of deleted secrets. Analytics data is retained according to Google Analytics and Vercel Analytics default retention policies.

Children's Privacy

PassLink is not intended for use by anyone under the age of 16. We do not knowingly collect data from children.

Changes to This Policy

We may update this policy from time to time. Material changes will be communicated by posting an updated version on this page with a revised date.

Contact

For privacy questions or to exercise your rights, contact us at privacy@passlink.click