Privacy Policy
Last updated: 5 May 2026
Note. This policy is a draft tailored to how the service is built today. Have a qualified lawyer review it before relying on it for compliance with the GDPR, the Swiss FADP, or any other regime.
This policy describes what we collect, why we collect it, who we share it with, and the rights you have over your data when you use Secrets by Ampersand ("the Service", "we", "us").
1. Who we are
The Service is operated by Ampersand, based in Switzerland. Questions about this policy or your data should go to privacy@ampersand-hosting.test.
2. What we collect
We try to collect as little as we can. Concretely:
Account data. When you register, we store your name, email address, and a hashed password. If you enable two-factor authentication, we store a derived secret used to verify the codes you generate.
Team data. Each team has a name and a per-tenant cryptographic key used to derive the encryption keys for your secrets. The team key is stored encrypted at rest with a key we control.
Secret content. When you create a secret, the content (text, attachments, NDA documents, reference face images) is encrypted with a key derived from your team key plus the secret's unique identifier and — if you set one — your password. The Service does not retain the plaintext. Without the right inputs, the bytes on disk are mathematically inaccessible to us.
Recipient data. If you send a secret to named recipients, we store each recipient's email and (optionally) phone number, first name, and last name so we can deliver and verify the link.
Access logs. Each time someone accesses a secret link we record the IP address, user-agent, country code (derived from IP), the action they performed, whether it succeeded, a device fingerprint string, and — for successful views — a unique watermark identifier embedded in the rendered content.
Document signatures. When a recipient accepts a document or signs an NDA, we store the signed name, email, phone, signature image (if drawn), the IP address, country, the SHA-256 hash of the document at signing time, and the verification status (whether their email and SMS were verified).
Cookies. We set a session cookie (HTTP-only, SameSite=Lax) and an XSRF-TOKEN cookie used by the application's anti-CSRF mechanism. We do not use third-party analytics, advertising, or tracking cookies.
3. Why we collect it
- Operate the Service — deliver links, verify identity, render content.
- Provide an audit trail — for the legal and compliance use cases the Service is designed for.
- Detect abuse — block IPs that exhibit brute-force patterns against password-protected secrets.
- Communicate with you — operational emails, security notices, password resets.
We do not use your data for advertising, profiling, or training machine learning models.
4. Third parties we share data with
The Service relies on the following sub-processors. By using the Service you consent to data being processed by them for the purposes listed.
| Provider | Purpose | Data sent |
|---|---|---|
| Amazon Web Services (AWS) | Hosting and AWS Rekognition (face matching) | Encrypted secret content; for face verification, the captured selfie and the reference image are sent unencrypted to Rekognition for the duration of the API call |
| Twilio / Brevo | SMS verification codes | Recipient phone number and the 6-digit code |
| Bunny Fonts | Web fonts on public pages | Standard request metadata |
| ip-api.com | IP-to-country lookup for geographic restrictions | Visitor IP address |
| Mail provider (SES / Postmark / similar — TBD at launch) | Transactional email | Recipient email and message body |
We do not sell your data. We do not share it with any party not listed above.
5. Where data is stored
The Service runs in the EU region of AWS (Frankfurt by default, or another EU region as documented at launch). Some sub-processors above operate globally. Where data is transferred outside the EU/EEA, we rely on the European Commission's standard contractual clauses or equivalent adequacy mechanisms.
6. Retention
- Account data — kept while your account is active. Deleted within 30 days of account closure, except where law requires longer retention.
- Secrets — deleted when their expires_at timestamp lapses, when the link is consumed in single-use mode, or when you delete them manually. Encrypted attachments are deleted with their parent secret.
- Access logs — retained for the period stated in your plan (30 days for Personal, 1 year for Team, configurable for Enterprise). Logs older than your retention window are purged.
- Document signatures — retained for the lifetime of your account unless you ask us to delete them. Some signatures may be subject to separate legal retention requirements that you, as the document owner, determine.
- Backups — encrypted backups are kept for up to 30 days for disaster-recovery purposes.
7. Your rights
Under the GDPR and the Swiss FADP you have the right to:
- Access — get a copy of the personal data we hold about you.
- Rectification — correct inaccurate data.
- Erasure — request deletion ("right to be forgotten"), subject to legal retention obligations.
- Restriction & objection — limit or object to processing.
- Portability — receive your data in a machine-readable format.
- Withdraw consent — where processing is based on consent.
- Lodge a complaint with a supervisory authority (the FDPIC in Switzerland; your local data-protection authority in the EU/EEA).
To exercise any of these, email privacy@ampersand-hosting.test. We respond within 30 days.
8. Security
We follow the security practices documented at ampersand-hosting.test/security (as updated over time). Highlights:
- Content encrypted at rest with team-derived keys.
- HTTPS enforced; HSTS in production.
- Access-log audit trail for every secret view.
- Multi-factor authentication required for team accounts.
- IP rate-limiting and per-link brute-force lockouts.
- No plaintext secret content in our logs or backups.
No system is perfectly secure. If we discover a breach affecting your data, we notify you and the relevant supervisory authority within 72 hours.
9. Children
The Service is not intended for users under 16 (under 13 in jurisdictions that permit it). If you believe a child has registered, contact us so we can delete the account.
10. Changes to this policy
If we change this policy materially we email account holders at least 14 days before the change takes effect. The "Last updated" date at the top is authoritative.
11. Contact
Ampersand Privacy team — privacy@ampersand-hosting.test