Privacy policy

Last updated: 1 May 2026

This privacy policy explains how Proofix (“we”, “us”) processes personal data when you use the Proofix secure file transfer service (the “Service”). We comply with the Swiss Federal Act on Data Protection (revFADP / nDSG, in force since 1 September 2023) and the EU General Data Protection Regulation (GDPR, Regulation 2016/679).

1. Controller

The controller responsible for processing your personal data is Digital Ledger Systems AG (Roosstrasse 53, 8832 Wollerau, Canton of Schwyz, Switzerland), trading as “Proofix”. Contact for data-protection matters: info@proofix.ch. The full legal entity details are listed in the Imprint.

2. Our privacy model: encrypt-before-upload

Every file is encrypted on your device with AES-256-GCM before it is uploaded. The decryption key is generated on your device and placed in the URL fragment (the part after “#”) of the download link; browsers do not send the fragment to servers. When you choose “link-only” sharing, the key never reaches our servers and we cannot read the file. When you ask us to email the link to your recipient, our server briefly processes the full URL — including the key fragment — to compose and send the email; the key is held in memory only and is not persisted. We process the minimum data required to operate the Service.

3. Personal data we process

3.1 Data you provide

  • Sender email address — to verify ownership and send confirmations.
  • Recipient email address — to notify the recipient that a file is waiting (if you choose email delivery).
  • File name, size, and a SHA-256 hash of the plaintext — used for integrity verification and the audit trail. The hash does not reveal the file’s contents, but anyone holding it can confirm whether a specific, already-known file was transferred.
  • Optional message text — shown to the recipient.
  • Payment details (proof tier only) — processed directly by Stripe, Inc. We never receive your full card number.

3.2 Data we generate automatically

  • Transfer identifier (UUID) and creation/expiry timestamps.
  • SHA-256 hash of the recipient’s IP address and User-Agent — we do not store raw IPs. This is pseudonymisation rather than anonymisation: an unkeyed hash of an IPv4 address can be reversed by enumerating the address space, so we treat the hash as personal data.
  • Delivery and download events for the sender’s audit trail.
  • RFC 3161 timestamp tokens (proof tier).
  • Server logs with correlation IDs, request paths, and status codes (retained up to 30 days).

4. Encrypted file content

The encrypted ciphertext is stored in object storage located in Switzerland. On the link-only sharing path, the decryption key never reaches our servers, so we cannot access the plaintext content. On the email-delivery path, the key fragment is handled in memory only to send the email and is not persisted, but this path is not strict zero-knowledge. For password-protected transfers, the AES key is wrapped with a PBKDF2-derived key and stored alongside the ciphertext; the wrapped blob cannot be unwrapped without the password. Because the blob is available for offline guessing to anyone who obtains it, this protection is only as strong as the password you choose and the PBKDF2 work factor. Upon expiry, revocation, or when the download limit is reached, the ciphertext is permanently deleted.
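The following is an added example, not Proofix’s own client code, showing the two mechanisms described in sections 2 and 4: a file encrypted in the browser with AES-256-GCM whose key travels only in the URL fragment, and that key wrapped under a PBKDF2-derived key for password-protected transfers. It uses the WebCrypto API a browser exposes (also available in Node 18 and later); the function names, the sample file, the transfer ID, the origin `https://files.example` and the PBKDF2 iteration count are this example’s assumptions, not Proofix parameters.

```javascript
// Added example, not Proofix code: the encrypt-before-upload pattern the policy
// describes, written against the WebCrypto API a browser exposes (also present
// in Node >= 18). Function names and the sample transfer are this example's own.

async function cryptoApi() {
  if (globalThis.crypto?.subtle) return globalThis.crypto;
  return (await import('node:crypto')).webcrypto;   // older Node without the global
}

// base64url for short values (keys, hashes); not meant for whole files.
const b64u = (bytes) => btoa(String.fromCharCode(...new Uint8Array(bytes)))
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const unb64u = (s) => Uint8Array.from(
  atob(s.replace(/-/g, '+').replace(/_/g, '/')), (ch) => ch.charCodeAt(0));

// Sender's browser: fresh 256-bit key and 96-bit nonce, AES-256-GCM.
// Only `upload` leaves the device; `rawKey` goes into the link fragment.
async function encryptForUpload(plaintext) {
  const c = await cryptoApi();
  const key = await c.subtle.generateKey({ name: 'AES-GCM', length: 256 }, true, ['encrypt']);
  const iv = c.getRandomValues(new Uint8Array(12));
  const ciphertext = new Uint8Array(await c.subtle.encrypt({ name: 'AES-GCM', iv }, key, plaintext));
  const rawKey = new Uint8Array(await c.subtle.exportKey('raw', key));
  const plaintextHash = b64u(await c.subtle.digest('SHA-256', plaintext));
  return { upload: { ciphertext, iv, plaintextHash }, rawKey };
}

function buildDownloadLink(origin, transferId, rawKey) {
  return `${origin}/d/${transferId}#k=${b64u(rawKey)}`;
}

// What the browser actually puts in the HTTP request: scheme/host plus path and
// query. The fragment is stripped client-side (RFC 3986 section 3.5).
function requestTargetSentToServer(link) {
  const u = new URL(link);
  return u.origin + u.pathname + u.search;
}

// Recipient's browser reads the key back from location.hash.
function keyFromLink(link) {
  const k = new URLSearchParams(new URL(link).hash.slice(1)).get('k');
  return unb64u(k);
}

async function decryptDownload(upload, rawKey) {
  const c = await cryptoApi();
  const key = await c.subtle.importKey('raw', rawKey, { name: 'AES-GCM' }, false, ['decrypt']);
  return new Uint8Array(await c.subtle.decrypt({ name: 'AES-GCM', iv: upload.iv }, key, upload.ciphertext));
}

// Password-protected transfers: wrap the file key under a PBKDF2-derived key.
// 600k iterations is an assumed work factor, not Proofix's actual parameter.
async function deriveKek(c, password, salt, iterations) {
  const base = await c.subtle.importKey('raw', new TextEncoder().encode(password), 'PBKDF2', false, ['deriveKey']);
  return c.subtle.deriveKey({ name: 'PBKDF2', hash: 'SHA-256', salt, iterations }, base,
    { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

async function wrapKeyWithPassword(rawKey, password, iterations = 600_000) {
  const c = await cryptoApi();
  const salt = c.getRandomValues(new Uint8Array(16));
  const iv = c.getRandomValues(new Uint8Array(12));
  const kek = await deriveKek(c, password, salt, iterations);
  const wrapped = new Uint8Array(await c.subtle.encrypt({ name: 'AES-GCM', iv }, kek, rawKey));
  return { salt, iv, iterations, wrapped };   // stored next to the ciphertext
}

// Returns the raw key, or null when the GCM tag check fails (wrong password or tampering).
async function unwrapKeyWithPassword(blob, password) {
  const c = await cryptoApi();
  const kek = await deriveKek(c, password, blob.salt, blob.iterations);
  try {
    return new Uint8Array(await c.subtle.decrypt({ name: 'AES-GCM', iv: blob.iv }, kek, blob.wrapped));
  } catch {
    return null;
  }
}

// End-to-end walk-through on a constructed sample file.
async function demo() {
  const text = 'constructed sample file: Q3 invoice';
  const { upload, rawKey } = await encryptForUpload(new TextEncoder().encode(text));
  const link = buildDownloadLink('https://files.example', '2f8c1d4e-0000-4000-8000-000000000001', rawKey);
  const recovered = await decryptDownload(upload, keyFromLink(link));
  const blob = await wrapKeyWithPassword(rawKey, 'correct horse battery');
  const good = await unwrapKeyWithPassword(blob, 'correct horse battery');
  const bad = await unwrapKeyWithPassword(blob, 'wrong password');
  return {
    onWire: requestTargetSentToServer(link),
    linkCarriesKey: link.includes(b64u(rawKey)),
    recoveredText: new TextDecoder().decode(recovered),
    unwrapMatches: good !== null && b64u(good) === b64u(rawKey),
    wrongPasswordResult: bad,
  };
}

demo().then((r) => console.log(r));
```

The fragment keeps the key out of every HTTP request the browser makes, but not out of everything that can read the link: scripts on the download page see it in `location.hash`, it sits in browser history and in any mail client or chat tool the link is pasted into, and on the email-delivery path it passes through the sending server as the policy states. The password wrap fails closed because AES-GCM authenticates the wrapped key, so a wrong password yields no key rather than garbage; an attacker holding the blob can still guess passwords offline at the cost of one PBKDF2 derivation per attempt.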

5. Legal bases (GDPR Art. 6)

  • Art. 6(1)(b)— performance of a contract: to provide the Service you requested.
  • Art. 6(1)(f)— legitimate interests: fraud prevention, service integrity, audit trail for the sender.
  • Art. 6(1)(c)— legal obligation: to comply with tax, accounting, and law-enforcement requests.

6. Retention periods

  • Encrypted file content: deleted at the earliest of the expiry date you chose (1, 7, or 14 days), the download limit being reached, or sender-initiated revocation.
  • Transfer rows: retained until expiry / revocation; status row preserved as audit evidence afterwards.
  • Email delivery audit (email_events) and download audit (download_events): 24 months from creation, then automatically purged.
  • Email outbox (email_outbox): 30 days after successful delivery, then automatically purged.
  • Rate-limit counters: 1 hour after the window expires.
  • Proof records (timestamp tokens, canonical hash, hash input): retained indefinitely for legal reference and evidentiary continuity. This retention is justified under GDPR Art. 17(3)(e) (“establishment, exercise or defence of legal claims”).
  • Payment records: retained for 10 years in accordance with Art. 958f of the Swiss Code of Obligations (OR).
  • Server logs: retained for up to 30 days.

7. Recipients and sub-processors

We share data only with service providers strictly necessary to operate the Service. The complete, current list with addresses, processing location and data categories is published on the Subprocessors page. In summary:

  • Object storage of encrypted blobs: Infomaniak Network SA, Geneva (Switzerland).
  • Email delivery: Infomaniak Network SA (Switzerland).
  • Payment processing: Stripe Payments Europe Ltd, Dublin (Ireland), with infrastructure operated by Stripe Inc. in the United States. See Stripe’s privacy policy.
  • Timestamping: internal, Proofix-operated Swiss-hosted timestamping service. No third party involved.

Each subprocessor is bound by a data-processing agreement (DPA / AVV) that meets the requirements of GDPR Art. 28 and the Swiss nDSG, including confidentiality, security measures (GDPR Art. 32), sub-processor approval, and return / deletion at end of contract. We notify users at least 30 days in advance of any change to this list.

8. International transfers

Primary data storage of encrypted file content and transfer metadata remains in Switzerland (Infomaniak data centres in Geneva).

Limited payment metadata (Stripe PaymentIntent ID, amount, sender email for refund correlation) is transferred to Stripe Inc. in the United States via Stripe Payments Europe Ltd in Ireland. The transfer is covered by:

  • The EU-U.S. Data Privacy Framework (DPF), under which Stripe Inc. is self-certified;
  • The Swiss-U.S. Data Privacy Framework, the Swiss extension of the DPF, recognised by the Swiss Federal Council (in force since 15 September 2024) as providing an adequate level of protection under FADP Art. 16(1);
  • EU Standard Contractual Clauses (SCCs, Decision 2021/914) as a back-up safeguard, included in Stripe’s DPA.

We never transmit your card number, CVC, or expiry to Stripe ourselves — those values are entered directly into the Stripe Elements widget in your browser and posted to Stripe, not to our servers.

9. Your rights

Under the GDPR and nDSG you have the right to:

  • Access your personal data (Art. 15 GDPR / Art. 25 nDSG).
  • Rectify inaccurate data (Art. 16 GDPR).
  • Erase data where no legal obligation prevents it (Art. 17 GDPR / Art. 32 nDSG).
  • Restrict or object to processing (Art. 18, 21 GDPR).
  • Data portability (Art. 20 GDPR).
  • Lodge a complaint with a supervisory authority — in Switzerland, the Federal Data Protection and Information Commissioner (FDPIC); in the EU, your local data protection authority.

To exercise any right, email info@proofix.ch. We will respond within 30 days.

10. Security

We apply technical and organisational measures informed by ISO 27001 guidance, including client-side encryption, TLS 1.3 in transit, AES-256 at rest, least-privilege access, and structured audit logging. Proofix is not ISO 27001 certified and does not currently hold SOC 2, HIPAA, or equivalent third-party certifications. See the Security page for architectural detail.

11. Changes to this policy

We may update this policy to reflect changes in law or our Service. Material changes will be notified in-app and via email where we have your address on file. The date at the top reflects the latest revision.

12. Contact

For data-protection questions: info@proofix.ch.