Privacy Policy

CloudStorage.io ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our S3-compatible cloud storage service ("Service").

This policy applies to all visitors to our website and all registered users of the Service. By using CloudStorage.io, you acknowledge that you have read and understood this Privacy Policy.

We process personal data in accordance with the EU General Data Protection Regulation (GDPR) and other applicable data protection laws. For the purposes of the GDPR, we act as the data controller with respect to your account information and as a data processor with respect to any personal data you store using the Service.

We collect and process the following categories of personal data:

Account Information

• Email address (required for registration and communication)
• Password (stored as a salted, one-way hash; we never store plaintext passwords)
• Account creation date and last login timestamp

Billing Information

• Payment method details (processed and stored by Stripe; we do not store full card numbers)
• Stripe customer ID and subscription ID
• Billing history and invoice records
• Selected storage plan and quota

Usage Data

• Storage usage metrics (total bytes stored, number of objects and buckets)
• API request logs (request type, timestamp, bucket/object path, response status code)
• IP addresses used to access the Service
• S3 access key identifiers (not secret keys)

Your Stored Data

Objects and files you upload to the Service are stored as-is. We do not inspect, analyze, or index the contents of your stored data. We have no knowledge of what your objects contain and treat all stored data as opaque binary content.

We use your personal data for the following purposes, each with a lawful basis under the GDPR:

• Service delivery (contractual necessity): To create and manage your account, authenticate requests, store and serve your data, and process payments.
• Service communication (contractual necessity): To send you transactional emails such as account verification, password resets, billing receipts, and service notifications (e.g., storage quota warnings, scheduled maintenance).
• Security and abuse prevention (legitimate interest): To monitor for unauthorized access, detect abuse, enforce our Terms of Service, and protect the integrity of the Service.
• Service improvement (legitimate interest): To analyze aggregate usage patterns (not individual user data) in order to improve performance, reliability, and capacity planning.
• Legal compliance (legal obligation): To comply with applicable laws, regulations, and legal processes.

We do not use your personal data for advertising, profiling, or automated decision-making. We do not sell, rent, or trade your personal data to any third party.

All data is stored exclusively within the European Union. We operate dedicated infrastructure in two data center locations:

• Helsinki, Finland
• Falkenstein, Germany

Your stored objects are automatically replicated across both data centers for redundancy. Account data and metadata are stored on servers within these same EU locations. No data is transferred outside the EU/EEA as part of normal service operations.

We implement the following security measures to protect your data:

• All data in transit is encrypted using TLS 1.2 or higher
• Passwords are hashed using bcrypt with per-user salts
• S3 secret keys are encrypted at rest and only displayed once at creation time
• Access to infrastructure is restricted to authorized personnel via SSH key authentication
• Server access logs and security events are monitored and retained
• Regular security updates are applied to all systems

We use a limited number of third-party services to operate CloudStorage.io. We only share the minimum data necessary for each service to function:

Stripe (Payment Processing)

We use Stripe to process payments and manage subscriptions. When you add a payment method, your card details are sent directly to Stripe and are never stored on our servers. Stripe acts as an independent data controller for payment data. Please refer to Stripe's Privacy Policy for details on how they handle your information.

Data shared with Stripe: email address, payment method details, billing amounts, and Stripe customer/subscription identifiers.

Emailit (Transactional Email)

We use Emailit to send transactional emails such as account verification, password reset links, and billing notifications. Emailit processes email data on our behalf as a data processor.

Data shared with Emailit: recipient email address and email content (subject line, body text).

Infrastructure Provider

Our servers and storage infrastructure are hosted on dedicated hardware in EU data centers. Our infrastructure provider supplies the physical data center facilities but does not have access to the data stored on our servers. The provider is based in the EU and operates under GDPR.

We do not use any analytics services, advertising platforms, social media trackers, or CDNs that would process your personal data.

We use a minimal number of cookies, strictly limited to those necessary for the Service to function:

• Session cookie: Used to maintain your authenticated session after login. This is a strictly necessary cookie and does not require consent under GDPR. It is deleted when you log out or when your session expires.

We do not use any analytics cookies, advertising cookies, or third-party tracking cookies. We do not participate in any cross-site tracking or advertising networks.

We retain your data for the following periods:

• Account data: Retained for the duration of your account and for 30 days after account deletion to allow recovery.
• Stored objects: Retained for the duration of your account. Upon account termination, objects are retained for 30 days and then permanently deleted, including all replicas.
• API access logs: Retained for 90 days for security monitoring and debugging purposes, then automatically purged.
• Billing records: Retained for 7 years after the end of your subscription to comply with financial record-keeping obligations under EU law.
• Server and security logs: Retained for 90 days, then automatically purged.

If you are located in the European Economic Area (EEA), you have the following rights regarding your personal data under the GDPR:

• Right of access (Article 15): You have the right to request a copy of the personal data we hold about you.
• Right to rectification (Article 16): You have the right to request that we correct any inaccurate personal data.
• Right to erasure (Article 17): You have the right to request that we delete your personal data, subject to any legal retention obligations.
• Right to restriction of processing (Article 18): You have the right to request that we restrict the processing of your personal data in certain circumstances.
• Right to data portability (Article 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format.
• Right to object (Article 21): You have the right to object to processing of your personal data based on legitimate interests.
• Right to withdraw consent (Article 7): Where processing is based on consent, you have the right to withdraw consent at any time.

To exercise any of these rights, please contact us at [email protected]. We will respond to your request within 30 days, as required by the GDPR. We may ask you to verify your identity before processing your request.

You also have the right to lodge a complaint with a supervisory authority. If you are in Finland, the relevant authority is the Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto).

As noted above, all stored data and account data remain within the EU. However, certain third-party processors (Stripe) may process limited data in the United States. Where such transfers occur, they are protected by:

• The EU-US Data Privacy Framework (for Stripe, which is a certified participant)
• Standard Contractual Clauses (SCCs) approved by the European Commission, where applicable

We regularly review our third-party processors to ensure that adequate safeguards are in place for any data that may be accessed or processed outside the EEA.

The Service is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that a child under 16 has provided us with personal data, we will take steps to delete that information promptly. If you believe that a child under 16 has provided us with personal data, please contact us at [email protected].

We may update this Privacy Policy from time to time. For material changes, we will notify you by email at least 30 days before the changes take effect. The "Last updated" date at the top of this page indicates when the policy was last revised.

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after any changes take effect constitutes your acceptance of the revised policy.

If you have any questions about this Privacy Policy, your personal data, or wish to exercise your data protection rights, please contact us at:

Email: [email protected]

For data protection inquiries, please include "Privacy" in the subject line so we can direct your request appropriately.