Effective date: February 25, 2026
1. Data Controller
anonym.plus ("we", "us", "our") is the data controller responsible for your personal data. For questions about this policy or your data rights, contact us at privacy@anonym.plus.
2. Personal Data We Collect
We collect only the minimum data necessary to provide our service:
| Data Type | Purpose | Legal Basis |
|---|---|---|
| Email address | Account creation, login, support | Contract performance (Art. 6.1.b) |
| Authentication hash | Zero-knowledge login verification | Contract performance (Art. 6.1.b) |
| Machine fingerprint | License activation (device binding) | Contract performance (Art. 6.1.b) |
| IP address | Rate limiting, security, activation logs | Legitimate interest (Art. 6.1.f) |
| Payment information | License purchases (via Stripe/PayPal) | Contract performance (Art. 6.1.b) |
What we do NOT collect
- We never see, store, or have access to your password (zero-knowledge authentication).
- We do not collect analytics, tracking cookies, or behavioral data.
- Documents processed by the desktop app stay on your device. We never receive, store, or access your documents.
- We do not use third-party advertising or marketing tools.
3. How We Use Your Data
- Account management: Creating and maintaining your account, authenticating logins.
- License activation: Binding licenses to your registered machines.
- Payment processing: Processing payments through Stripe and PayPal.
- Support: Responding to your support requests.
- Security: Preventing abuse via rate limiting and lockout mechanisms.
4. Sub-Processors
We share data with the following third-party processors, solely for the purposes stated:
| Processor | Purpose | Data Shared |
|---|---|---|
| Stripe, Inc. | Payment processing | Email, payment details |
| PayPal Holdings, Inc. | Payment processing | Email, payment details |
| Hosting provider (Hetzner Online GmbH) | Server infrastructure | IP addresses (server logs) |
| ipwho.is (Lunanode) | Download geolocation analytics (country/city only) | IP address at time of download (not stored; only country/city result is retained) |
| Resend, Inc. | Transactional email delivery | Email address, email content (account notifications) |
5. Data Retention
- Account data: Retained until you delete your account.
- Activation logs: IP addresses in activation logs are automatically nulled after 90 days; log entries themselves are retained for auditing.
- Download analytics: IP addresses are sent to ipwho.is for geolocation lookup and are not stored by us; only country and city are retained. IP addresses in download event records are nulled after 90 days.
- Audit logs: Maximum 1,000 entries, with entries older than 90 days automatically removed.
- Support tickets: Retained for the duration of your account.
- Payment records: Retained as required by tax and accounting regulations (typically 7 years).
When you delete your account, all personal data is permanently removed, including machine records and activation history. Active licenses are revoked.
6. Your Rights (GDPR Articles 15-22)
You have the right to:
- Access (Art. 15): Request a copy of your personal data.
- Rectification (Art. 16): Correct inaccurate data.
- Erasure (Art. 17): Delete your account and all associated data via the account dashboard or by contacting us.
- Restriction (Art. 18): Restrict processing in certain circumstances.
- Portability (Art. 20): Receive your data in a structured, machine-readable format.
- Objection (Art. 21): Object to processing based on legitimate interests.
To exercise any of these rights, email privacy@anonym.plus. We will respond within 30 days.
7. Cookies and Local Storage
We do not use tracking cookies. Our website uses:
- Session tokens (localStorage): To keep you logged in. These contain no personal data beyond an encrypted session identifier.
- No third-party cookies: We do not use analytics, advertising, or tracking cookies of any kind.
8. Security Measures
We implement the following technical and organizational measures to protect your data:
- Zero-knowledge authentication (your password is never transmitted to or stored on our servers).
- TLS 1.2/1.3 encryption for all data in transit.
- Database credentials encrypted at rest (AES-256-GCM).
- Rate limiting and account lockout mechanisms against brute-force attacks.
- Admin access protected by two-factor authentication (TOTP).
- Automated audit logging of all administrative actions.
9. International Data Transfers
Our servers are located in the European Union. Payment processing through Stripe and PayPal may involve transfers to the United States under their respective Standard Contractual Clauses (SCCs) and Data Processing Agreements.
10. Children's Privacy
Our service is not directed at children under the age of 16. We do not knowingly collect personal data from children.
11. Changes to This Policy
We may update this privacy policy to reflect changes to our practices or for legal reasons. We will post the updated policy on this page with a revised effective date.
12. Contact
For privacy-related questions, data access requests, or complaints:
- Email: privacy@anonym.plus
- Support form: anonym.plus/contact
You also have the right to lodge a complaint with a supervisory authority in your country of residence.