Short version: We collect only what is needed to operate ServerCrate. We cannot read your backup files. We do not sell your data.
#1. What We Collect
- Account information: Email address, optional name, and hashed password
- Usage information: Storage amounts, login times, snapshot counts, device names, and service activity needed to operate your vault
- Billing information: Stripe customer and subscription IDs (for card payments), PayPal order and payer IDs (for PayPal payments), or BTCPay invoice IDs (for Bitcoin payments). We never store raw card data. Bitcoin transactions never touch a third-party processor.
- Technical information: IP addresses for security and rate limiting, session tokens, and basic operational logs
#2. What We Cannot See
Backup data is encrypted client-side. We do not have your encryption key. The ciphertext stored on our systems is unreadable without it.
#3. How We Use Information
- To provision and operate your backup vault
- To process payments and manage subscriptions
- To send transactional emails such as verification, password reset, billing, and service notices
- To detect abuse, fraud, and unauthorized access
- To monitor service health and reliability
#4. Sharing
We do not sell your data. We share information only with service providers needed to operate ServerCrate, such as Stripe and PayPal for billing, and relevant infrastructure providers, or when legally required to do so.
#5. Retention
Account data is retained while your account is active. Vault data is deleted within 30 days of deprovisioning unless a longer retention period is legally required. Billing records may be retained for up to 7 years for accounting and compliance purposes.
#6. Cookies
We use HTTP-only session cookies for authentication and security. We do not run third-party advertising trackers. We do not use your data for ads.
#7. Security
We use HTTPS, HTTP-only Secure cookies, CSRF protection, password hashing, rate limiting, TOTP-based 2FA, and isolated customer environments. No system is perfect, but we design around minimizing exposure and protecting account access.
#8. Your Rights
You may request access to, correction of, or deletion of your personal data, subject to legal and operational requirements. Contact privacy@servercrate.net.