Your data.
Your keys.
Our ciphertext.
We are a zero-knowledge backup service. Your data is encrypted client-side before it ever touches our infrastructure. This document explains exactly what we do and don't do with your information.
Zero-Knowledge Architecture
ServerCrate is designed as a zero-knowledge backup service. This means your backup data is encrypted on your device using your encryption key before it is transmitted to our servers. We receive and store only ciphertext — encrypted binary data that is unreadable without your key.
We do not hold your encryption key. We cannot decrypt your vault contents. If we receive a legal demand for your backup data, we can only provide encrypted ciphertext that is meaningless without your key.
What We Collect
We collect the minimum necessary to operate the service:
- Account information: Name, email address, and hashed password used to authenticate and identify your account.
- Billing information: Handled by our payment processor. We retain only a billing reference, last four digits of your card, and invoice history.
- Service usage data: Backup job metadata such as snapshot timestamps, storage volume, and agent version. Never file contents or filenames.
- Transport logs: IP addresses and connection timestamps used to detect abuse and maintain service security. Retained for 30 days, then deleted.
- Support communications: Anything you send us directly via email or support tickets.
What We Never Collect
- Your encryption key or passphrase — ever
- The contents of your backup files or directories
- File names, paths, or directory structure from your backups
- Any data from inside your encrypted vaults
How We Use Your Information
We use the information we collect only for these purposes:
- To provision and maintain your account and vault
- To process billing, invoices, and renewals
- To send critical service alerts and account notices
- To detect and prevent abuse, fraud, and unauthorized access
- To improve service reliability and operational quality
- To comply with legal, tax, and regulatory obligations
Data Storage & Retention
All ServerCrate infrastructure is located in our Los Angeles, California environment. Your encrypted vault data does not leave the United States unless you specifically configure a geo-redundant plan.
- Active vault data: Retained for the duration of your subscription plus a 14-day grace period after cancellation.
- Account information: Retained for up to 90 days after account deletion for fraud prevention, then permanently purged.
- Billing records: Retained for 7 years as required by US tax law.
- Transport logs (IP): Retained for 30 days, then automatically deleted.
When you cancel, your encrypted vault data is permanently deleted from our storage systems within 30 days. We do not keep shadow copies or cold-storage archives of your data after deletion.
Sharing & Disclosure
We do not sell, rent, or trade your personal information. We may share limited data only in these circumstances:
- Payment processing: We use a third-party payment processor to handle billing. They receive your billing details under their own privacy policy.
- Legal requirements: We may disclose account information — not vault contents, which we cannot decrypt — if required by valid legal process. Where legally permitted, we will notify you before complying.
- Business transfer: In the event of an acquisition or merger, customer data may be transferred. We will notify you with at least 30 days' notice and you will have the option to delete your account before any transfer.
- Safety: We may disclose information if we have a good-faith belief it is necessary to prevent imminent harm to a person.
Third-Party Services
We use a small number of third-party services to operate our business:
- Payment processor: For subscription billing. Card data is handled by them directly; we do not store it.
- Transactional email: For sending service alerts and invoices. We share your email and the content of system notifications only.
- Google Analytics: On our marketing website only — not in the backup agent or dashboard. See Section 8 for details.
We do not use third-party cloud storage providers such as AWS S3 or Google Cloud Storage to store your vault data. Your encrypted backups are stored on infrastructure we control directly.
Cookies & Analytics
Our marketing website uses Google Analytics to understand aggregate visitor behavior — pages visited, referral sources, and session duration. No personally identifiable information is intentionally linked to analytics data.
We use a small number of strictly necessary cookies to keep you logged in to your account dashboard. We do not use advertising cookies or third-party behavioral tracking.
Your Rights
Regardless of your location, we extend the following rights to all customers:
- Access: You may request a copy of the personal data we hold about your account.
- Correction: You may update or correct your account information at any time from your dashboard.
- Deletion: You may delete your account and associated data at any time. Vault data is purged within 30 days.
- Portability: Your vault data can be downloaded and decrypted locally at any time using your encryption key. You are never locked in.
- Objection: You may object to any processing we perform and we will review the request promptly.
To exercise any of these rights, email privacy@servercrate.net. We will respond within 30 days. California residents may have additional rights under CCPA.
Security
We take security seriously — it is the core of our product:
- All data in transit is protected with TLS 1.3
- Vault contents are encrypted with AES-256 client-side before transmission
- Our infrastructure is operated on hardware we control directly
- Account access is protected by strong password requirements and optional multi-factor authentication
- Access to production systems is restricted to a need-to-know basis
No system is perfectly secure. If you discover a vulnerability, please report it responsibly to security@servercrate.net. We will acknowledge receipt within 48 hours.
Children's Privacy
ServerCrate is a professional service intended for adults and businesses. We do not knowingly collect personal information from anyone under the age of 13. If you believe a minor has created an account, contact hello@servercrate.net and we will remove the account promptly.
Changes to This Policy
If we make material changes to this policy, we will notify you by email at least 30 days before changes take effect. The "Last updated" date at the top of this page reflects the most recent revision.
Continued use of ServerCrate after changes take effect constitutes acceptance of the updated policy. If you disagree with changes, you may delete your account before they take effect.
Contact Us
For privacy questions, data requests, or concerns:
- Privacy email: privacy@servercrate.net
- General email: hello@servercrate.net
- Mailing address: ServerCrate, Los Angeles, CA, USA
- Response time: We aim to respond to all privacy-related inquiries within 5 business days.
Questions about your data?
We read every privacy email. Reach us at privacy@servercrate.net if you need deletion, export, clarification, or anything else.