Privacy Policy
Last updated: 5 May 2026
This policy describes what we collect, why we collect it, who we share it with, and the rights you have over your data when you use Secrets by Ampersand ("the Service", "we", "us").
1. Who we are
The Service is operated by:
Ampersand Labs by Davide Morotti
Flüelastrasse 10
8048 Zürich
Switzerland
Email: privacy@ampersand.ch
For the purposes of the GDPR, Ampersand Labs is the controller of the personal data processed through the Service. For the purposes of the Swiss FADP, we are the responsible private body within the meaning of Art. 5(j) FADP.
2. What we collect
We try to collect as little as we can. Concretely:
Account data. When you register, we store your name, email address, and a hashed password. If you enable two-factor authentication, we store a derived secret used to verify the codes you generate.
Team data. Each team has a name and a per-tenant cryptographic key used to derive the encryption keys for your secrets. The team key is stored encrypted at rest with a key we control.
Secret content. When you create a secret, the content (text, attachments, NDA documents, reference face images) is encrypted with a key derived from your team key plus the secret's unique identifier and — if you set one — your password. The Service does not retain the plaintext. Without the right inputs, the bytes on disk are mathematically inaccessible to us.
Recipient data. If you send a secret to named recipients, we store each recipient's email and (optionally) phone number, first name, and last name so we can deliver and verify the link.
Access logs. Each time someone accesses a secret link we record the IP address, user-agent, country code (derived from IP), the action they performed, whether it succeeded, a device fingerprint string, and — for successful views — a unique watermark identifier embedded in the rendered content.
Document signatures. When a recipient accepts a document or signs an NDA, we store the signed name, email, phone, signature image (if drawn), the IP address, country, the SHA-256 hash of the document at signing time, and the verification status (whether their email and SMS were verified).
Cookies. We set a session cookie (HTTP-only, SameSite=Lax) and an XSRF-TOKEN cookie used by the application's anti-CSRF mechanism. We do not use third-party analytics, advertising, or tracking cookies.
3. Why we collect it
- Operate the Service — deliver links, verify identity, render content.
- Provide an audit trail — for the legal and compliance use cases the Service is designed for.
- Detect abuse — block IPs that exhibit brute-force patterns against password-protected secrets.
- Communicate with you — operational emails, security notices, password resets.
We do not use your data for advertising, profiling, or training machine learning models.
4. Legal basis for processing
For users in the EU/EEA, we rely on the following bases under Art. 6 GDPR:
- Contractual necessity — Art. 6(1)(b). Account data, team data, secret content, recipient data, document signatures, and operational emails are processed to deliver the Service you have asked us to provide.
- Legitimate interests — Art. 6(1)(f). Access logs, device fingerprints, and abuse-detection signals are processed for the security, integrity, and availability of the Service. Our legitimate interest is operating a non-abusable zero-knowledge secret-sharing platform; you may object at any time (see Section 9).
- Legal obligation — Art. 6(1)(c). Where applicable law requires us to retain or disclose specific data (e.g. accounting records, lawful orders from competent Swiss authorities).
- Consent — Art. 6(1)(a). For optional features that ask you explicitly. You may withdraw consent at any time without affecting processing carried out beforehand.
For users in Switzerland, the corresponding bases under Art. 31 FADP apply (contractual performance, overriding private or public interest, legal obligation, or consent).
5. Automated decision-making
The recipient identity-verification feature uses AWS Rekognition to compare a captured selfie to a reference image and return a similarity score. The sender configures the threshold; the outcome only controls whether a specific link unlocks in a specific session, and senders can override or reissue links.
We do not use this feature, or any other processing, to make decisions about you that produce legal effects or similarly significantly affect you within the meaning of Art. 22 GDPR / Art. 21 FADP. If you believe a verification outcome has affected you significantly, you may request human review by writing to privacy@ampersand.ch.
6. Third parties we share data with
The Service relies on the following sub-processors. By using the Service you consent to data being processed by them for the purposes listed.
| Provider | Location | Purpose | Data sent |
|---|---|---|---|
| Hetzner Online GmbH | Falkenstein, Germany (EU) | Application hosting, database, backups | All data stored by the Service (encrypted at rest where applicable) |
| Amazon Web Services (AWS) — Rekognition | EU region | Face matching for recipient identity verification | The captured selfie and the reference image are sent unencrypted to Rekognition for the duration of the API call; AWS retains no images after the call |
| Amazon Web Services (AWS) — Secrets Manager | EU region | Storage of service credentials | Operational credentials only; no personal user data |
| Brevo (Sendinblue SAS) | EU (France) | SMS verification codes | Recipient phone number and the 6-digit code |
| Bunny Fonts | EU | Web fonts on public pages | Standard request metadata |
| ip-api.com | EU | IP-to-country lookup for geographic restrictions | Visitor IP address |
| Brevo (Sendinblue SAS) | EU (France) | Transactional email | Recipient email and message body |
We do not sell your data. We do not share it with any party not listed above.
7. Where data is stored
The Service is hosted by Hetzner Online GmbH in Falkenstein (Saxony, Germany), within the EU/EEA. All application data — accounts, encrypted secret content, recipients, logs, and database backups — sits on EU infrastructure.
Switzerland benefits from a European Commission adequacy decision, so transfers between the German hosting infrastructure and our Swiss operations are permitted without additional safeguards.
Some sub-processors listed in Section 6 (for example AWS Rekognition or AWS Secrets Manager) may process limited personal data in regions outside the EU/EEA or under US-parent control. Where personal data is transferred to a country without an adequacy decision under either the GDPR or the FADP, we rely on the European Commission's Standard Contractual Clauses (with the FDPIC's Swiss addendum where relevant) and carry out a transfer impact assessment in line with Schrems II / FDPIC guidance, applying additional technical and organisational safeguards where required.
8. Retention
- Account data — kept while your account is active. Deleted within 30 days of account closure, except where law requires longer retention.
- Secrets — deleted when their expires_at lapses, when the link is consumed in single-use mode, or when you delete them manually. Encrypted attachments are deleted with their parent secret.
- Access logs — retained for the period stated in your plan (30 days for Personal, 1 year for Team, configurable for Enterprise). Logs older than your retention window are purged.
- Document signatures — retained for the lifetime of your account unless you ask us to delete them. Some signatures may be subject to separate legal retention requirements that you, as the document owner, determine.
- Backups — encrypted backups are kept for up to 30 days for disaster-recovery purposes.
9. Your rights
Under the GDPR and the Swiss FADP you have the right to:
- Access — get a copy of the personal data we hold about you.
- Rectification — correct inaccurate data.
- Erasure — request deletion ("right to be forgotten"), subject to legal retention obligations.
- Restriction & objection — limit or object to processing.
- Portability — receive your data in a machine-readable format.
- Withdraw consent — where processing is based on consent.
- Lodge a complaint with a supervisory authority (the FDPIC in Switzerland; your local data-protection authority in the EU/EEA).
To exercise any of these, email privacy@ampersand.ch. We respond within 30 days.
10. Security
We follow the security practices documented at ampersand.ch/security (as updated from time to time). Highlights:
- Content encrypted at rest with team-derived keys.
- HTTPS enforced; HSTS in production.
- Access-log audit trail for every secret view.
- Multi-factor authentication required for team accounts.
- IP rate-limiting and per-link brute-force lockouts.
- No plaintext secret content in our logs or backups.
No system is perfectly secure. If we discover a breach affecting your data, we notify the relevant supervisory authority (FDPIC, and where applicable EU/EEA authorities) within 72 hours of becoming aware, and notify affected users where the GDPR/FADP requires it.
11. Children
The Service is not intended for users under 16 (under 13 in jurisdictions that permit it). If you believe a child has registered, contact us so we can delete the account.
12. Changes to this policy
If we change this policy materially we email account holders at least 14 days before the change takes effect. The "Last updated" date at the top is authoritative.
13. Contact
Ampersand Labs by Davide Morotti
Flüelastrasse 10
8048 Zürich
Switzerland
Privacy team — privacy@ampersand.ch
You may lodge a complaint with the Federal Data Protection and Information Commissioner (FDPIC) in Switzerland, or with your local data-protection authority in the EU/EEA.